Fraud or feature?

Dual use technologies are everywhere. Myself and colleagues have been presenting Phish and Chips, and the Man-in-the-Middle Defence at the Security Protocols Workshop this week, in which we describe how the EMV protocol suite can be modified in unintended ways, and that a card interceptor can be used for both fraudulent and beneficial activities.

A second example is how the waters in which internet phishermen angle for account details regularly become muddied by the marketing departments of enterprising banks. Every once in a while, these chaps manage to send out genuine emails entreating the user to click on the link in the email, or to navigate to a site not clearly part of the bank’s site, then provide their personal details.

Today I discovered that the same dilemma has been playing out in the fight to secure the fascia of cash machines against the attachment of illicit skimmers. I was off to work promtly this morning, to open up shop for an ITN TV crew doing a piece on Chip and PIN. After cleverly managing to miss my train, I was forced to take a rather expensive taxi ride to Cambridge — so much so that I had to have the taxi stop for me to withdraw some cash. It was then that I spotted this device attached to the slot of the Barclays Bank ATM on White Horse road in Baldock, Hertfordshire.

It’s a grotty little metal attachment clipped over the card slot. Pressed for time though I was, I didn’t like the idea of feeding my card through the thing. I had a quick go and dislodging it from the slot but it wouldn’t seem to budge, and on closer inspection it appeared the device had taken damage in the corner, presumably from a previous attempt to remove it. The second image taken looking up at the device shows that it is quite clearly “stuck on”.

I decided to play it safe and went to the Nationwide ATM round the corner instead. For that matter this more familiar looking ATM helpfully displayed a number that I might call to report a suspicious looking device, and I did just that. Settling back in the taxi and thinking I tried to decide if this modification to the fascia was genuine. Was it feature or fraud?

Once we’d exorcised the camera crew from the building that morning, I showed off the photos to my colleagues. Now I have done a fair bit of research into skimming, including compiling a list of pictures of ATM skimmers for my Phantom Withdrawals site, and a study of the cost and difficulty of making a skimmer which could attach to the chip card slot of a Point-of-Sale terminal, the design of which is reported on my interceptor page and in a previous LBT post Chip and Skim. Also we were aware that anti-fraud attachments have been trialled on Barclays ATMs about a year ago. But for the life of me, I did not know for certain whether this was a genuine skimmer, or a product of my own paranoia and Barclays unusual decision to literally “release a patch” for their ATM.

Now there are clearly a small number of people who could answer this question in seconds: a policeman from the fraud unit, or a Barclays security manager. But then what chance does the average customer have of identifying skimming and phishing attacks if even an ATM security researcher like myself who is familiar with the threat, and who has an analytical mind, is still unable to make his mind up? What about education education education? Poster initiatives have been trialled to show pictures of how the genuine machine should look, and some Barclays ATMs now display photographs of how the card slot should look on their own colour screens — much more expensive to counterfeit than the poster. So what are dynamics of arms races involving educating and re-educating customers, who will win this one, and what will the POS skimmer arms race look like?

My final hunch remains that the device probably was a genuine barclays anti-fraud device, even though I was fooled at first into reporting it as suspicious. There is a neat argument why it is genuine: cash machines now strictly tell customers “DO NOT REMOVE ANY SUSPICIOUS LOOKING DEVICES” in capitals on the main screen. I used to think that this was so they could retrieve and forensically analyse the devices, but now I have a new theory… too many customers were trying themselves to lever off Barclays’ own suspicious looking devices! That even explains the damage to the device shown in the first photo. Credit to Barclays for making such efforts to combat phantom withdrawals, but this is a race which is far from being won.

Frank asked me to repost this reply to the blog (originally sent to the security group mailing list).

“Barclays in London came up with a very good idea. The last time I withdrew cash it displayed a picture on the screen showing the various approved card-reading devices. The message said that if the card reader was not pictured here I should not use the machine but call Barclays immediately.”

Unfortunately, he also pointed out that this is only part of a slideshow, so not all users will see this warning.

The Barclays in Cambridge has a similar device (as I discovered last night) but it is likely /not/ to be a skimmer for the simple reason both the chip and magnetic stip pass through the thinnest piece of the shim rather than the thick bit that could have a skimmer on it.

I don’t think this was a London-only feature: I’ve seen it in Cambridge for months. However I think it could have been implemented more securely. The image you mention is only one of a large number in a publicity slide-show that is continuously running while the ATM is not in use. You don’t “get” it before inserting your card, unless you are lucky or make a point of watching the whole show. If you get it later, chances are your magstripe and pin were already stolen. So all of the following 3 alternatives would be nicer than the behaviour I observed in the Barclays ATMs I visited:

(1, preferred)
Ensure the warning about the fake readers is seen BEFORE the person inserts the card, with a forcing function. Something to the effect of “Does the slot look like this or this or this? yes/no.” Lock the slot, so that no card can be inserted, until the user presses yes.
It does require more button presses.

(2)
Display the warning before insertion (means they can’t do the slide show), but no forcing function. Easier to operate, but easier to ignore.

(3)
After insertion (magstripe potentially already stolen), put up a screen saying “if the slot doesn’t look like any of the above, then DON’T ENTER YOUR PIN!!!”

Instead, the current behaviour often translates to

(4)
On completion of the transaction, you get shown the picture of what the slot should have looked like. If it doesn’t look like that, you’ve already been screwed—especially if you are told not to remove the suspicious device and don’t fancy waiting there in the cold until the forensic investigator comes to do it for you.

cash machines now strictly tell customers “DO NOT REMOVE ANY SUSPICIOUS LOOKING DEVICES” in capitals on the main screen. I used to think that this was so they could retrieve and forensically analyse the devices, but now I have a new theory…

I thought they did that to protect the physical safety of their customers, following that case a few months back where a customer removed the suspicious looking device and was attacked by the crook who had planted it who didn’t want to lose the expensive digital camera and gear he’d spent time building!

Maybe there is some physical/implementation issue I am not aware of, but wouldn’t it all be simpler/better if ATMs were a flat slab with a single flat slot for the card and a touchscreen monitor?
No paper slips to throw away at the nearest bin, no piggy-back hardware on keys or card reader…
Further, the whole alcove should have no features such as brochure holders, posters, stickers or anything else that might be obscuring a camera.
This new-look would be “retro” enough for the marketing folks to deem as cool and as a differentiating feature. win-win.

Srijith,
>and what if I really need a receipt?
Easy. You step into the bank and get one. Or, you go on-line and print one. Explain why you “really” need it.

What I meant by the “nearest bin” was that a lot of people throw away their slips and other bank material there… and those can be easily picked by a crook. If I was corrupt, I would place a bin between the bank’s entrance and the ATMs; I’m sure it would yield “useful” information.

In some countries, ATMs allow for a non-receipt transactions. I just think it should be always the case; anything that is printed on the slip, could be viewed on the monitor. If you need evidence, get it from the teller.

I once discovered a “malicious device” stuck to an HSBC machine, and removed it. Whilst I was calling the police, I was assaulted by someone – in fact two people – who wanted it back badly. They got it and ran off, I got through to the Bill, and later that night a copper left a message on my voice mail – but not a name, phone number or badge number. Great work, Surrey Police.

Removing receipts has this kind of logic:
Because banks have failed to implement high quality, hard to defraud designs, we should trust them more and forego receipts.

Forgive me if I do not follow the logic.

I use receipts to track my withdrawals. If I make an ATM deposit (I rarely do) I keep that receipt until the deposit hits. Despite the belief to the contrary, ATMs can err! Receipts perform both dispute resolution and tracking functions.

I already bear the cost of flawed design in risk of loss and distribution of fraud cost. I would rather not you waste my time with the ridiculous idea that receipts are the problem.

A flat design is also a very bad idea. Making something uniformly awful to use may be a popular idea in security, but that does not make it correct. It seems a better interaction with an active device would be a good step forward. Maybe a white paper to the BIS is in order, for the next round of examination of risk management in banking.

Jean Camp wrote:I would rather not you waste my time with the ridiculous idea that receipts are the problem

Chill out Jean, no need to be so agressive in arguing your counter-point!

I personally think Saar’s idea of a flat slab ATM is rather neat. However, I think the flat slab paradigm which is so good for protecting against unauthorised attachments does not preclude receipts… after all it’s gonna have to have a slot for the cash to come out, yes? Three small flat slits in a totally flat TFT enabled panel, one for the card, one for the money, one for the receipt.

The “Should ATMs print receipts?” discussion seems somewhat redundant, as the solution is both obvious and already widely implemented. At least in Britain, all ATMs that I ever used asked me whether I would like to have a receipt printed or not. This is not only the securest and most customer-friendly solution that I can think of, it also helps to keep the streets cleaner and reduces maintenance costs. I’m, therefore, very surprised to hear that optional ATM recipts are not common practice today globally. Sounds like a “no-brainer” to me, as they say in the US.

On receipts:
These are definitely valuable. i once had an ATM deliver less than I asked for, but the receipt matched the delivery, however the debit to my account was for the request amount. That receipt and a lot of argument saved me rather a lot of hard-earned money. ATMs do lie!

Saar,
I appreciate your point about wanting simplicity in the design so that it is difficult to fashion plausible skimmers, but I do not see how removing the option for printed receipts help achieve such a goal. Clearly, printed receipts can prove invaluable for resolving a dispute with the bank, as personally demonstrated by some of the comments above. Furthermore, your proposal for obtaining receipts from the bank is unrealistic — (1) it removes the ‘automated’ from ATM, driving up operational costs and (2) you may not realise you need the receipt until you get an incorrect bank statement next month!

Basically, there is a substantial benefit to providing the option for receipts when compared to the very minor increase in design clutter. The same may not be said for brochure holders.

Tyler wrote:Basically, there is a substantial benefit to providing the option for receipts when compared to the very minor increase in design clutter. The same may not be said for brochure holders

Hehe, sorry to continue heckling, but as per my own point, a flat ATM design would not preclue receipts. On the economics of brochure holders, are you sure Tyler? I guess the question is economical for whom? I dare say the uptake of extra savings accounts/mortages/pet insurance etc. versus the extra risk of phantom withdrawal cameras falls firmly in favour of having the brochure holders, from the point of view of the bank.

That said, a flat ATM with a full TV screen could do some funky advertising.

Question: What other modifications will ATMs of the future have? If ATM designers can think of a way to make sound part of the authentication system (maybe via a bluetooth headset which by then are permanently glued to people’s heads) then they can blast people with full sound and video adverts while they wait for authorisation…

I guess ATMs sit on some uncomfortable middle ground between face to face banking (v. expensive but great for sales) and internet banking (v. cheap but probably crap for sales).

[note: my previous comment got messed up due to an improperly terminated tag; I removed it, here is the “better” version]

OK, I’ll bite 🙂

To reiterate my two distinct points:

1. Make it difficult to attach/install/hide any sort of extra/unintended/malicious or otherwise equipment on and
around the ATM. Doing this by making the ATM’s design “simpler.” Simpler = one flat slot and a touchscreen monitor (of course, with allowance for use by people with disabilities.) If someone can explain to me why this is counter-productive, insecure or “uniformly awful” (eye-candy is a valid argument, but falls under the “personal taste” category, so let’s leave that out)
to the function of ATMs dispensing cash, I’d appreciate it. There is no reason to make anything more “user-friendly” than it needs to be; feature creep is most often the reason why systems fail or become unmanageable/inefficient.

2. Eliminate receipts since their value is outweighed by the fact that people throw them at the nearest bin, providing account information to dumpster divers. (Sure, with the added value of keeping “my” ATM design simpler, but that is secondary.)

From a real-world threat perspective, maybe that assertion
is not accurate, although the threat is still there. I’ll also agree that an option (default = off) for receipts would be/is “nice” for people who actually keep track of them. Some do, I recognize; I don’t.

However, I’d like to address the two functions receipts have that were brought up in the comments above.

Deposits (in the US, not sure of the UK): The receipt one gets for deposits is useless as *proof* since the depositor decides the value that is printed on it. One can “deposit” a blank envelope and claim it contained a check for $10,000 and receive a receipt to that effect. The banks will not accept that as evidence and will request the depositor to have the check issuer write a new one. The receipts here are of no real value as a dispute mechanism.

Withdrawals: In John Holmes’ case, the ATM did not fail… it produced the right records. What failed were the mechanisms supporting the ATM. As such, receipt or not, it would have been just as easy for the bank to examine the ATM’s records (which I think they did anyway, regardless of the show of receipt.) In this case, sure, the receipt had some further value, perhaps in convincing a feisty teller, although the same outcome could have been had without it, IMO.

Given time, every system will fail, including ATMs. I could not find (google) statistics of ATM failure rate but my guess is that it is very very low (really, it has to be.) If anyone has ATM MTBF numbers, please share.

Mike Bond’s comment that That said, a flat ATM with a full TV screen could do some funky advertising. reminded me of the “funky advertising” at Defcon, which I blogged at The Alexis Park ATMS are Perfectly Safe.

More seriously, I think that a peaceful, predictable experience helps users notice things which are out of the ordinary. The goal of advertising is to attract attention, and that attention is taken away from other things.

I’ll offer a prediction: ATMs with ‘funky advertising’ will have higher error and fraud rates.

Thas so true fraud or feature. When i first saw one out a Barclays ATM cashpoint i got quite worried. I thought it was a magnetic stripe skimmer as it was protruding. So i left it and went to another atm round the corner.